In remote-computing environments, customers of a remote-computing service may access resources of the service to perform a variety of tasks. For instance, the customers may access a storage resource of the remote-computing service to store data or to obtain or alter previously-stored data. The customers may also access a compute resource of the service to configure an application to run atop the compute resource. The remote-computing service may additionally or alternatively offer any number of other resource types, each of which customers of the service may utilize and access.
In some instances, the remote-computing service may allow an individual customer to create multiple accounts associated with respective users. As such, individual users of a particular customer may access the remote-computing services by providing the respective user's credentials (e.g., username and password). For instance, a business customer that subscribes to a set of services that the remote-computing service offers may create user accounts for each of multiple different employees to allow each of these employees to access needed services. In addition, certain applications associated with the particular customer may need and obtain access to the services provided by the remote-computing service.
Many times, however, a particular customer has a single access policy governing each user's and each application's access to the services of the remote-computing service. This generic access policy often does not meet a customer's needs, as a particular user of the customer may need more or less access than the generic policy grants. In other instances, meanwhile, an administrator of the customer may assign different access policies to different users and/or applications. However, because the administrator may not know exactly what each user or application needs access to—and what the user or application should not or need not have access to—these resulting policies are also often ill-suited for the particular user or application.